lending-protocol

5 articles
0 5/10
vulnerability

A critical rounding convention bug in Vesu's Singleton liquidation contract allowed attackers to steal user funds through malicious pool extension contracts, flashloans, and improper handling of the receive_as_shares flag. The vulnerability was discovered via an Immunefi bug bounty and remediated by removing the affected liquidation logic and whitelisting pool extensions within 5 days.

Vesu Immunefi ChainSecurity Argent Labs Re7 Labs Braavos Alterscope
docs.vesu.xyz · Alex · 4 hours ago · details
0
news

This appears to be a landing page or navigation hub for Fraxlend, a DeFi lending protocol, featuring content from Obsidian Audits. The page lacks substantive technical content about specific vulnerabilities or findings.

Fraxlend Obsidian Audits
mirror.xyz · Juan · 4 hours ago · details
0
vulnerability

Compound's liquidation mechanism fails to validate that seized assets are actually held as collateral, allowing liquidators to seize any user assets when borrowing becomes undercollateralized, not just those explicitly marked as collateral via enterMarkets().

Compound CVE-2020-26241 AAVE GitHub - compound-finance/compound-protocol/pull/127
trust-security.xyz · Trust · 4 hours ago · details
0
vulnerability

A critical protocol insolvency bug in Fringe.fi's lending platform allows borrowers to withdraw collateral without updating accrued interest, leaving the protocol with undercollateralized positions that cannot be liquidated. The vulnerability exploits the fact that updateInterestInBorrowPositions() is only called when withdrawing the maximum amount, enabling attackers to maintain stale accrual values and manipulate their health factor below the required 1.0 threshold.

Fringe.fi Fringe PIT Compound V2 USDC Frax Share CVE
trust-security.xyz · Trust · 4 hours ago · details
0
vulnerability

Iron Bank's seizeInternal() function fails to credit liquidators with the correct collateral amount when seizing tokens, undercounting their collateral and potentially triggering unintended liquidations. The bug stems from only increasing collateral by collateralTokens instead of the full seizeTokens amount, with the difference (buffer) not being accounted for.

Iron Bank CCollateralCapERC20.sol 0x7e8844ea4c211a69ad9308ba0b6cdb3ea0bb2b05
trust-security.xyz · Trust · 4 hours ago · details